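def test_list_metadata_annotations(self):
    """Scan the ``list_annotation/example.yaml`` fixture and require the runner to finish.

    Only the kubernetes framework is enabled so no other runner takes part. The report
    itself is not inspected; the test only guards against the runner raising on this input.
    """
    current_dir = os.path.dirname(os.path.realpath(__file__))
    scan_file_path = os.path.join(current_dir, "list_annotation", "example.yaml")
    file_rel_path = os.path.relpath(scan_file_path)
    runner = Runner()
    try:
        runner.run(
            root_folder=None,
            external_checks_dir=None,
            files=[file_rel_path],
            runner_filter=RunnerFilter(framework='kubernetes'),
        )
    except Exception as exc:
        # A bare `except:` discarded the original error; carry it into the failure
        # message so the test output says what the runner actually choked on.
        self.fail(f"Could not run K8 runner on configuration: {exc!r}")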
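def test_summary(self):
    """Scan the ``example_WildcardRoles`` fixtures with only this check enabled.

    Verifies the aggregate pass/fail/skip/parsing-error counts and, more strictly,
    exactly which resources ended up on the passed and failed side.
    """
    runner = Runner()
    current_dir = os.path.dirname(os.path.realpath(__file__))
    # os.path.join rather than string concatenation keeps the separator portable.
    test_files_dir = os.path.join(current_dir, "example_WildcardRoles")
    report = runner.run(root_folder=test_files_dir, runner_filter=RunnerFilter(checks=[check.id]))
    summary = report.get_summary()

    expected_passing = {
        'Role.test-should-pass-3.test',
        'Role.test-should-pass-2.test',
    }
    expected_failing = {
        'Role.test-should-fail-1.test',
        'Role.test-should-fail-2.test',
        'ClusterRole.test-should-fail-3.test',
    }

    self.assertEqual(summary['passed'], 2)
    self.assertEqual(summary['failed'], 3)
    self.assertEqual(summary['skipped'], 0)
    self.assertEqual(summary['parsing_errors'], 0)

    # Set comprehensions instead of set([...]): same result, no throwaway list.
    self.assertEqual(expected_passing, {c.resource for c in report.passed_checks})
    self.assertEqual(expected_failing, {c.resource for c in report.failed_checks})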
def test_record_relative_path_with_abs_file(self):
    """Scanning one file given by absolute path yields records whose ``repo_file_path``
    is the CWD-relative path of that file, prefixed with a single '/'."""
    current_dir = os.path.dirname(os.path.realpath(__file__))
    scan_file_path = os.path.join(current_dir, "resources", "example.yaml")
    # Two spellings of the same path: the absolute one is handed to the runner,
    # the relative one is what every record is expected to report back.
    file_rel_path = os.path.relpath(scan_file_path)
    file_abs_path = os.path.abspath(scan_file_path)
    checks_allowlist = ['CKV_K8S_21']
    runner_filter = RunnerFilter(framework='kubernetes', checks=checks_allowlist)
    report = Runner().run(
        root_folder=None,
        external_checks_dir=None,
        files=[file_abs_path],
        runner_filter=runner_filter,
    )
    all_checks = report.failed_checks + report.passed_checks
    # An empty report would let the loop below pass vacuously; rule that out first.
    self.assertGreater(len(all_checks), 0)
    # No explicit '/' join here: the runner itself puts the leading '/' on the path.
    expected_repo_path = f'/{file_rel_path}'
    for record in all_checks:
        self.assertEqual(record.repo_file_path, expected_repo_path)
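def test_record_relative_path_with_relative_dir(self):
    """Scanning a directory given by relative path (as with ``-d``) yields records whose
    ``repo_file_path`` is '/' + that relative directory + the record's own ``file_path``."""
    current_dir = os.path.dirname(os.path.realpath(__file__))
    scan_dir_path = os.path.join(current_dir, "resources")
    # Relative path to the directory to scan: what a user would actually pass to -d.
    dir_rel_path = os.path.relpath(scan_dir_path)
    runner = Runner()
    checks_allowlist = ['CKV_K8S_21']
    report = runner.run(
        root_folder=dir_rel_path,
        external_checks_dir=None,
        runner_filter=RunnerFilter(framework='kubernetes', checks=checks_allowlist),
    )
    all_checks = report.failed_checks + report.passed_checks
    # assertGreater (not assertTrue on a comparison) prints the actual length on failure,
    # and guarantees the loop below is not vacuously satisfied by an empty report.
    self.assertGreater(len(all_checks), 0)
    for record in all_checks:
        # No explicit '/' join: the runner already puts one at the start of the path.
        self.assertEqual(record.repo_file_path, f'/{dir_rel_path}{record.file_path}')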
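def test_summary_skip_check(self):
    """Scan ``example_PSP`` with this check listed in ``skip_checks`` and verify that
    none of the failed records carry its id."""
    runner = Runner()
    current_dir = os.path.dirname(os.path.realpath(__file__))
    # os.path.join rather than string concatenation keeps the separator portable.
    test_files_dir = os.path.join(current_dir, "example_PSP")
    report = runner.run(root_folder=test_files_dir, runner_filter=RunnerFilter(skip_checks=[check.id]))
    for record in report.failed_checks:
        self.assertNotEqual(record.check_id, check.id, "check should be skipped")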
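def test_summary(self):
    """Scan ``example_ApiServerAnonymousAuth`` with only this check enabled and verify
    the pass/fail/skip/parsing-error counts."""
    runner = Runner()
    current_dir = os.path.dirname(os.path.realpath(__file__))
    # os.path.join rather than string concatenation keeps the separator portable.
    test_files_dir = os.path.join(current_dir, "example_ApiServerAnonymousAuth")
    report = runner.run(root_folder=test_files_dir, runner_filter=RunnerFilter(checks=[check.id]))
    summary = report.get_summary()
    self.assertEqual(summary['passed'], 1)
    self.assertEqual(summary['failed'], 2)
    self.assertEqual(summary['skipped'], 0)
    self.assertEqual(summary['parsing_errors'], 0)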
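def test_parse_with_empty_blocks(self):
    """Scan the ``resources/example_multiple.yaml`` fixture (per the test name, a manifest
    containing empty blocks) and require that the runner completes and scans something."""
    current_dir = os.path.dirname(os.path.realpath(__file__))
    scan_file_path = os.path.join(current_dir, "resources", "example_multiple.yaml")
    file_rel_path = os.path.relpath(scan_file_path)
    runner = Runner()
    try:
        report = runner.run(
            root_folder=None,
            external_checks_dir=None,
            files=[file_rel_path],
            runner_filter=RunnerFilter(framework='kubernetes'),
        )
    except Exception as exc:
        # A bare `except:` discarded the original error; keep it in the failure message.
        self.fail(f"Could not run K8 runner on configuration: {exc!r}")
    # Kept outside the try: previously an AssertionError raised here was swallowed by the
    # bare except and misreported as "could not run". Just check that something was
    # parsed and scanned.
    self.assertGreater(len(report.failed_checks) + len(report.passed_checks), 0)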
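def test_summary(self):
    """Scan ``example_NginxIngressCVE202125742`` with only this check enabled and verify
    the pass/fail/skip/parsing-error counts."""
    runner = Runner()
    current_dir = os.path.dirname(os.path.realpath(__file__))
    # os.path.join rather than string concatenation keeps the separator portable.
    test_files_dir = os.path.join(current_dir, "example_NginxIngressCVE202125742")
    report = runner.run(root_folder=test_files_dir, runner_filter=RunnerFilter(checks=[check.id]))
    summary = report.get_summary()
    self.assertEqual(summary['passed'], 3)
    self.assertEqual(summary['failed'], 1)
    self.assertEqual(summary['skipped'], 0)
    self.assertEqual(summary['parsing_errors'], 0)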
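def test_summary(self):
    """Scan ``example_DefaultServiceAccountBinding`` with only this check enabled and
    verify the pass/fail/skip/parsing-error counts."""
    runner = Runner()
    current_dir = os.path.dirname(os.path.realpath(__file__))
    # os.path.join rather than string concatenation keeps the separator portable.
    test_files_dir = os.path.join(current_dir, "example_DefaultServiceAccountBinding")
    report = runner.run(root_folder=test_files_dir, runner_filter=RunnerFilter(checks=[check.id]))
    summary = report.get_summary()
    self.assertEqual(summary['passed'], 3)
    self.assertEqual(summary['failed'], 2)
    self.assertEqual(summary['skipped'], 0)
    self.assertEqual(summary['parsing_errors'], 0)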
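def test_summary(self):
    """Scan ``example_PeerClientCertAuthTrue`` with only this check enabled; verify the
    pass/fail counts and that each record landed on the side its resource name announces."""
    runner = Runner()
    current_dir = os.path.dirname(os.path.realpath(__file__))
    # os.path.join rather than string concatenation keeps the separator portable.
    test_files_dir = os.path.join(current_dir, "example_PeerClientCertAuthTrue")
    report = runner.run(root_folder=test_files_dir, runner_filter=RunnerFilter(checks=[check.id]))
    summary = report.get_summary()
    # (actual, expected) order, matching the sibling summary tests.
    self.assertEqual(summary['passed'], 1)
    self.assertEqual(summary['failed'], 2)
    # Fixture resources are named after the outcome they are expected to produce.
    for failed in report.failed_checks:
        self.assertIn("should-fail", failed.resource)
    for passed in report.passed_checks:
        self.assertIn("should-pass", passed.resource)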
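def test_summary(self):
    """Instantiate a ``KubernetesCheck``, scan ``example_WildcardEntities`` with only it
    enabled, and verify the counts.

    Instantiating the check appears to register it under the 'container?' and 'Pod*Policy'
    wildcard keys (the removals below undo exactly that), so deregistration must happen
    even when the run raises, or the check leaks into every later test sharing the registry.
    """
    runner = Runner()
    current_dir = os.path.dirname(os.path.realpath(__file__))
    check = KubernetesCheck()
    # os.path.join rather than string concatenation keeps the separator portable.
    test_files_dir = os.path.join(current_dir, "example_WildcardEntities")
    try:
        report = runner.run(root_folder=test_files_dir, runner_filter=RunnerFilter(checks=[check.id]))
        summary = report.get_summary()
    finally:
        # Previously unconditional but after the run; an exception skipped it entirely.
        registry.wildcard_checks['container?'].remove(check)
        registry.wildcard_checks['Pod*Policy'].remove(check)
    self.assertEqual(summary['passed'], 2)
    self.assertEqual(summary['failed'], 0)
    self.assertEqual(summary['skipped'], 0)
    self.assertEqual(summary['parsing_errors'], 0)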
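def test_summary(self):
    """Scan ``example_EtcdAutoTls`` with only this check enabled; verify the counts and
    that each record landed on the side its resource name announces."""
    runner = Runner()
    current_dir = os.path.dirname(os.path.realpath(__file__))
    # os.path.join rather than string concatenation keeps the separator portable.
    test_files_dir = os.path.join(current_dir, "example_EtcdAutoTls")
    report = runner.run(root_folder=test_files_dir, runner_filter=RunnerFilter(checks=[check.id]))
    summary = report.get_summary()
    self.assertEqual(summary['passed'], 2)
    self.assertEqual(summary['failed'], 1)
    self.assertEqual(summary['skipped'], 0)
    self.assertEqual(summary['parsing_errors'], 0)
    # assertIn instead of assertTrue(x in y): the failure message shows both operands.
    for failed in report.failed_checks:
        self.assertIn("should-fail", failed.resource)
    for passed in report.passed_checks:
        self.assertIn("should-pass", passed.resource)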
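def test_summary(self):
    """Scan ``example_ApiServerAuthorizationModeNotAlwaysAllow`` with only this check
    enabled; verify the counts and that each record's resource name matches its outcome."""
    runner = Runner()
    current_dir = os.path.dirname(os.path.realpath(__file__))
    # os.path.join rather than string concatenation keeps the separator portable.
    test_files_dir = os.path.join(current_dir, "example_ApiServerAuthorizationModeNotAlwaysAllow")
    report = runner.run(root_folder=test_files_dir, runner_filter=RunnerFilter(checks=[check.id]))
    summary = report.get_summary()
    self.assertEqual(summary['passed'], 2)
    self.assertEqual(summary['failed'], 2)
    self.assertEqual(summary['skipped'], 0)
    self.assertEqual(summary['parsing_errors'], 0)
    # Fixture resources are named after the outcome they are expected to produce.
    for failed in report.failed_checks:
        self.assertIn("should-fail", failed.resource)
    for passed in report.passed_checks:
        self.assertIn("should-pass", passed.resource)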
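def test_summary(self):
    """Scan ``example_KubeControllerManagerServiceAccountCredentials`` with only this check
    enabled; verify the counts and that each record's resource name matches its outcome."""
    runner = Runner()
    current_dir = os.path.dirname(os.path.realpath(__file__))
    # os.path.join rather than string concatenation keeps the separator portable.
    test_files_dir = os.path.join(current_dir, "example_KubeControllerManagerServiceAccountCredentials")
    report = runner.run(root_folder=test_files_dir, runner_filter=RunnerFilter(checks=[check.id]))
    summary = report.get_summary()
    # (actual, expected) order, matching the sibling summary tests.
    self.assertEqual(summary['passed'], 1)
    self.assertEqual(summary['failed'], 1)
    self.assertEqual(summary['skipped'], 0)
    self.assertEqual(summary['parsing_errors'], 0)
    # Fixture resources are named after the outcome they are expected to produce.
    for failed in report.failed_checks:
        self.assertIn("should-fail", failed.resource)
    for passed in report.passed_checks:
        self.assertIn("should-pass", passed.resource)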
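def test_summary(self):
    """Scan ``example_ApiServerAdmissionControlEventRateLimit`` with only this check
    enabled; verify the counts and that each record's file path matches its outcome."""
    runner = Runner()
    current_dir = os.path.dirname(os.path.realpath(__file__))
    # os.path.join rather than string concatenation keeps the separator portable.
    test_files_dir = os.path.join(current_dir, "example_ApiServerAdmissionControlEventRateLimit")
    report = runner.run(root_folder=test_files_dir, runner_filter=RunnerFilter(checks=[check.id]))
    summary = report.get_summary()
    self.assertEqual(summary['passed'], 1)
    self.assertEqual(summary['failed'], 1)
    self.assertEqual(summary['skipped'], 0)
    self.assertEqual(summary['parsing_errors'], 0)
    # Fixture files are named after their expected outcome; only this check may appear
    # in the report since the filter enables no other. assertEqual replaces the
    # single-element assertIn for a clearer failure message.
    for record in report.failed_checks:
        self.assertIn("FAILED", record.file_path)
        self.assertEqual(record.check_id, check.id)
    for record in report.passed_checks:
        self.assertIn("PASSED", record.file_path)
        self.assertEqual(record.check_id, check.id)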
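def test_summary(self):
    """Scan ``example_KubeletAuthorizationModeNotAlwaysAllow`` with only this check
    enabled; verify the counts and that each record's file path matches its outcome."""
    runner = Runner()
    current_dir = os.path.dirname(os.path.realpath(__file__))
    # os.path.join rather than string concatenation keeps the separator portable.
    test_files_dir = os.path.join(current_dir, "example_KubeletAuthorizationModeNotAlwaysAllow")
    report = runner.run(root_folder=test_files_dir, runner_filter=RunnerFilter(checks=[check.id]))
    summary = report.get_summary()
    self.assertEqual(summary['passed'], 1)
    self.assertEqual(summary['failed'], 1)
    self.assertEqual(summary['skipped'], 0)
    self.assertEqual(summary['parsing_errors'], 0)
    # assertIn / assertEqual instead of assertTrue(...) so failures print both operands.
    for record in report.failed_checks:
        self.assertIn("FAILED", record.file_path)
        self.assertEqual(record.check_id, check.id)
    for record in report.passed_checks:
        self.assertIn("PASSED", record.file_path)
        self.assertEqual(record.check_id, check.id)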
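def test_summary(self):
    """Scan ``example_KubeletProtectKernelDefaults`` with only this check enabled; verify
    the counts and that each record's file path matches its outcome."""
    runner = Runner()
    current_dir = os.path.dirname(os.path.realpath(__file__))
    # os.path.join rather than string concatenation keeps the separator portable.
    test_files_dir = os.path.join(current_dir, "example_KubeletProtectKernelDefaults")
    report = runner.run(root_folder=test_files_dir, runner_filter=RunnerFilter(checks=[check.id]))
    summary = report.get_summary()
    self.assertEqual(summary['passed'], 1)
    self.assertEqual(summary['failed'], 1)
    self.assertEqual(summary['skipped'], 0)
    self.assertEqual(summary['parsing_errors'], 0)
    # Fixture files are named after their expected outcome; the filter enables only this
    # check, so every record must carry its id (assertEqual over single-element assertIn).
    for record in report.failed_checks:
        self.assertIn("FAILED", record.file_path)
        self.assertEqual(record.check_id, check.id)
    for record in report.passed_checks:
        self.assertIn("PASSED", record.file_path)
        self.assertEqual(record.check_id, check.id)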
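def test_summary(self):
    """Scan ``example_ControllerManagerBindAddress`` with only this check enabled; verify
    the counts and that each record's file path matches its outcome."""
    runner = Runner()
    current_dir = os.path.dirname(os.path.realpath(__file__))
    # os.path.join rather than string concatenation keeps the separator portable.
    test_files_dir = os.path.join(current_dir, "example_ControllerManagerBindAddress")
    report = runner.run(root_folder=test_files_dir, runner_filter=RunnerFilter(checks=[check.id]))
    summary = report.get_summary()
    self.assertEqual(summary['passed'], 1)
    self.assertEqual(summary['failed'], 2)
    self.assertEqual(summary['skipped'], 0)
    self.assertEqual(summary['parsing_errors'], 0)
    # assertIn / assertEqual instead of assertTrue(...) so failures print both operands.
    for record in report.failed_checks:
        self.assertIn("FAILED", record.file_path)
        self.assertEqual(record.check_id, check.id)
    for record in report.passed_checks:
        self.assertIn("PASSED", record.file_path)
        self.assertEqual(record.check_id, check.id)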